---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: access-to-loki-metrics
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list .) | nindent 2 }}
rules:
  - apiGroups: ["apps"]
    resources:
      - "statefulsets/prometheus-metrics"
    resourceNames: ["loki"]
    verbs: ["get"]
{{- if (.Values.global.enabledModules | has "prometheus") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: access-to-loki-metrics
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list .) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: access-to-loki-metrics
subjects:
  - kind: User
    name: d8-monitoring:scraper
  - kind: ServiceAccount
    name: prometheus
    namespace: d8-monitoring
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: access-to-loki-from-http
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list .) | nindent 2 }}
rules:
  - apiGroups: ["apps"]
    resources:
      - "statefulsets/http"
    resourceNames: ["loki"]
    verbs: ["get"]
{{- if (.Values.global.enabledModules | has "prometheus") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: access-to-loki-from-http
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list .) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: access-to-loki-from-http
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: d8-monitoring
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: access-to-loki-from-http-create
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list .) | nindent 2 }}
rules:
  - apiGroups: ["apps"]
    resources:
      - "statefulsets/http-create"
    resourceNames: ["loki"]
    verbs: ["create"]
{{- if (.Values.global.enabledModules | has "log-shipper") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: access-to-loki-from-http-create
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list .) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: access-to-loki-from-http-create
subjects:
  - kind: ServiceAccount
    name: log-shipper
    namespace: d8-log-shipper
{{- end }}
